[Openswan Users] Terminating VPN on the NAT gateway
Simon Deziel
simon at xelerance.com
Wed Jun 12 13:07:56 UTC 2013
On 13-06-12 06:20 AM, Binand Sethumadhavan wrote:
> On 11 June 2013 17:58, Binand Sethumadhavan <binand at gmx.net> wrote:
>> I can see in tcpdump that the source IP of packets from BB endpoint to
>> AA endpoint is set to the WAN-side IP of BB. Why is this so?
>
> This now works for me after I added this iptables rule:
>
> iptables -t nat -I POSTROUTING -s a.b.c.d -d 10.13.16.0/23 -j SNAT --to-source 192.168.100.1
>
> No documentation says such a step is needed. Is there something I am
> missing elsewhere in my config?
In general, it's best to avoid NAT'ing for all IPsec related traffic. I
recommend using this one:
iptables -t nat -I POSTROUTING -m policy --dir out --proto esp -j RETURN
Regards,
Simon
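An added example, not part of the thread above and not Openswan's own tooling: the rule Simon gives only helps if it sits in POSTROUTING before the SNAT/MASQUERADE rule, which is why he uses -I (insert at the top) rather than -A (append). The script below takes the text of `iptables-save -t nat` and verifies that ordering, so the exemption can be checked after a reboot or a firewall-script change. The two rulesets embedded in it are constructed samples, not captured from a real host; the address values in them are the ones quoted in the thread.

```sh
#!/bin/sh
# Check that IPsec-bound traffic is exempted from source NAT in the nat
# table's POSTROUTING chain. Input is iptables-save text (one rule per line).
#
# Returns 0 when the first "-m policy --dir out ... -j RETURN|ACCEPT" rule in
# POSTROUTING precedes the first SNAT/MASQUERADE rule, or when there is no
# source NAT at all. Returns 1 when NAT is present but the exemption is
# missing or comes after it (the classic "-A instead of -I" mistake).
ipsec_nat_exempt_ok() {
    printf '%s\n' "$1" | awk '
        /^-A POSTROUTING/ {
            n++
            if (/-m policy --dir out/ && /-j (RETURN|ACCEPT)/ && !exempt) exempt = n
            if (/-j (SNAT|MASQUERADE)/ && !nat) nat = n
        }
        END {
            if (!nat) exit 0                 # nothing NATs outbound traffic
            if (exempt && exempt < nat) exit 0
            exit 1
        }'
}

# Constructed sample: the exemption was inserted with -I, so it is listed
# before the SNAT rule from the thread and wins for ESP traffic.
SAMPLE_GOOD='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --proto esp -j RETURN
-A POSTROUTING -s a.b.c.d -d 10.13.16.0/23 -j SNAT --to-source 192.168.100.1
COMMIT'

# Constructed sample: same rules, but the exemption was appended with -A and
# lands after a MASQUERADE rule, so packets are NATed before it is reached.
SAMPLE_BAD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --proto esp -j RETURN
COMMIT'

if ipsec_nat_exempt_ok "$SAMPLE_GOOD"; then
    echo "good ruleset: IPsec traffic is exempt from NAT"
fi
if ! ipsec_nat_exempt_ok "$SAMPLE_BAD"; then
    echo "bad ruleset: a NAT rule precedes the IPsec exemption"
fi
```

On a live gateway run it as `ipsec_nat_exempt_ok "$(iptables-save -t nat)"` (root needed for iptables-save). The check only looks at rule order within POSTROUTING; it does not validate that the policy match itself is correct for your tunnels.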